U.S. Environmental Protection Agency
Office of Inspector General

12-P-0836
September 20, 2012

At a Glance

EPA Should Improve Management Practices and Security Controls for Its Network Directory Service System and Related Servers

Why We Did This Review

We sought to determine to what extent the U.S. Environmental Protection Agency (EPA) implemented a management control structure for its directory service infrastructure. We also sought to determine what steps EPA took to identify and disable user accounts that are no longer needed.

A directory service provides a centralized location to store information about the users, computers, and other equipment on a network and provides integrated services that are used to manage network users, services, and devices. EPA uses a commercial off-the-shelf product for its directory service system (DSS). EPA implements this system using multiple servers placed in various locations on its network to provide enterprise-wide authentication and authorization.

This report addresses the following EPA Goal or Cross-Cutting Strategy:

• Strengthening EPA’s Workforce and Capabilities

What We Found

The Office of Environmental Information (OEI) is not managing key system management documentation, system administration functions, the granting and monitoring of privileged accounts, and the application of environmental and physical security controls associated with its DSS. OEI is not keeping management documentation associated with the DSS current and complete, and does not have an effective process for maintaining this documentation. Further, OEI is not performing user account administration practices for the DSS, and does not have a management oversight process to ensure that the regions and program offices are managing their delegated responsibilities in accordance with Agency and federal requirements. The Office of Administration and Resources Management’s (OARM’s) Human Resources and Contractor Management systems and processes are not linked to the user account management function. OEI is also not managing the delegation of DSS logging and monitoring processes. Lastly, OEI is not ensuring that environmental and physical security controls are applied to protect the authentication and authorization servers.

Recommendations and Agency Corrective Actions

We recommended that OEI and OARM management undertake a number of corrective actions to improve its management of, and correct specific deficiencies associated with, the Agency’s DSS.

OEI and OARM management concurred with all recommendations, other than two associated with environmental and physical security controls, and completed or agreed to take corrective actions to address the recommendations with which they concurred.

OEI indicated that the particular physical and environmental controls are not its responsibility. We disagree. The DSS Authentication and Authorization servers belong to OEI, and OEI is responsible for managing this equipment. Therefore, OEI needs to ensure that these controls are in place.

Due to the sensitive nature of the report’s security findings, the full report is not available to the public.

For further information, contact our Office of Congressional and Public Affairs at (202) 566-2391.